4

I want to scan for powered-on computers on my LAN and gather logs about that. I tried nmap but it didn't work very well (a lot of switched-on computers are not getting detected).

nmap -sP 192.168.2.0/24
Nmap done: 256 IP addresses (10 hosts up) scanned in 6.07 seconds

I also thought about looking at network TCP packets for IPs, but I don't know of any tool ready to do that.

On this network, all computers have static IPs associated, so an IP identifies a computer. The PCs have different operating systems (Windows 7, Ubuntu 10.04, Ubuntu 12.04 and more).

What's my best chance?

Drt
  • 404
  • 2
  • 6
  • 18

6 Answers

3

Have you tried other scan options from nmap? The ping option may not always work, but other scan options may be more reliable. Try:

nmap -PS 192.168.2.0/24 (TCP SYN ping)

or

nmap -PR 192.168.2.0/24 (ARP scan)

EightBitTony
  • 9,311
  • 1
  • 34
  • 46
2

Try Look@LAN to scan for powered on computers.

There are alternatives to Look@LAN, and some of them are even free, or free and open source.
Personally I can recommend the Angry IP Scanner, which is open source and multiplatform, or Advanced IP Scanner, which is made for Windows platforms and is not open source but free.

wullxz
  • 1,073
  • 2
  • 16
  • 29
1

ping -b the broadcast IP then arp -a

cyberhicham
  • 202
  • 2
  • 13
  • 1
    AFAIK, only Linux clients will respond to a broadcast (if not explicitly blocked). Windows clients don't. – wullxz Jan 18 '13 at 09:58
  • `arp -a` on a router should have all the machines though. If one does have a domain controller, running `arp -a` on it should give similar results – Hubert Kario Jan 18 '13 at 10:21
  • 1
    Some of the target machines aren't windows, so the Domain Controller option is probably not that useful. – EightBitTony Jan 18 '13 at 10:24
  • FWIW, I just tried `ping -b` followed by `arp -a` and the results were missing two machines I know to be switched on. – John Gardeniers Jan 18 '13 at 12:28
  • I tried it myself and I got all the machines (even the Windows machine and a Windows VM that didn't show up with `ping -b BroadcastIP`). – cyberhicham Jan 18 '13 at 12:30
1

It seems that the problem was the probing rate (too many packets per second?). Using the --max-rate parameter made it perform much better. It takes ages to run, but at least it works.

$ nmap -sP --max-rate 1  192.168.2.0/24
...
Nmap done: 242 IP addresses (67 hosts up) scanned in 434.04 seconds
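To turn a scan like the one above into the presence log the question asks for, here is an added example (not from the post or from nmap): it parses nmap's grepable output (`-oG -`) and compares the answering hosts against the static IP inventory the question describes. The sample output and the KNOWN_HOSTS inventory are constructed for the example.

```python
import re

# Constructed sample of `nmap -sP -oG -` (grepable) output; not taken from the post.
SAMPLE_GREPABLE = """\
# Nmap 6.00 scan initiated Fri Jan 18 09:50:01 2013 as: nmap -sP --max-rate 1 -oG - 192.168.2.0/24
Host: 192.168.2.1 (gateway)\tStatus: Up
Host: 192.168.2.10 ()\tStatus: Up
Host: 192.168.2.12 ()\tStatus: Up
Host: 192.168.2.77 ()\tStatus: Up
# Nmap done at Fri Jan 18 09:57:15 2013 -- 256 IP addresses (4 hosts up) scanned in 434.04 seconds
"""

# Hypothetical inventory: the question says every IP is static and names one machine.
KNOWN_HOSTS = {
    "192.168.2.1": "gateway",
    "192.168.2.10": "win7-desk",
    "192.168.2.11": "ubuntu1004-lab",
    "192.168.2.12": "ubuntu1204-dev",
}

# One "Host:" line per host that answered; '#' lines are nmap's own comments.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+(\w+)")

def parse_grepable(text):
    """Return {ip: status} from grepable output, skipping comment lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts

def presence_report(known, up_ips):
    """Split hosts into (up, down, unknown); unknown = answered but not inventoried."""
    up = sorted(ip for ip in known if ip in up_ips)
    down = sorted(ip for ip in known if ip not in up_ips)
    unknown = sorted(ip for ip in up_ips if ip not in known)
    return up, down, unknown

def log_lines(text, known, stamp):
    """One log line per inventoried host, plus one per unexpected host that answered."""
    up_ips = {ip for ip, st in parse_grepable(text).items() if st == "Up"}
    up, down, unknown = presence_report(known, up_ips)
    lines = [f"{stamp} UP {ip} {known[ip]}" for ip in up]
    lines += [f"{stamp} DOWN {ip} {known[ip]}" for ip in down]
    # A host answering from an address that is not in the static inventory deserves a look.
    lines += [f"{stamp} UNKNOWN {ip} not-in-inventory" for ip in unknown]
    return lines
```

Run it against the real output of `nmap -sP -oG - 192.168.2.0/24` from cron and append the returned lines to a file; a DOWN line for a machine you know is on points at the same rate problem the answer above describes, and an UNKNOWN line is an address on your LAN that nobody put in the inventory.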
1

ARP scan (-PR) is the default in a LAN. Besides, you can also use advanced ping options such as nmap -PS21-23,80,135,139,443,445 target

Or scan the 1000 most common ports (or even all ports with -p-) without ping: nmap -Pn -p- target, which is somewhat slower.

blau
  • 738
  • 4
  • 9
0

arpwatch can come in very handy for getting a first impression of what is going on; the be-all-end-all tool to see details would be wireshark (even better in conjunction with a switch that has a monitoring port configured or a similar network tap). BTW, since you appear to be new to such techniques: using such tools in a professional setting is acceptable in two situations: a) you are a developer and analysing ONLY the traffic concerning your application under test, b) you are among the people responsible for the network/infrastructure/servers and/or have been asked or allowed to do so by these people. Anything else will usually be considered suspicious or hostile activity by the same people and might lead to having some explaining to do.

rackandboneman
  • 2,577
  • 11
  • 8